If you follow me, I’ll OSINT you

I tend to have a look at the profiles following me on Twitter or trying to connect on LinkedIn. On LinkedIn I’ve become a little picky on whom to connect with and they have to match my career interests. On Twitter I just look for red flags in general. If your profile promotes racism and hate speech, deliberately spreads disinformation or supports Borussia Dortmund, I will block you (just kidding on the last one). Of course, I can’t do a deep dive into each and every follower on Twitter. But today I would like to show you what kind of red flags I look for and how these can lead to further investigations.

Follow me and I’ll check out your profile

Around lunch time I noticed a new follower on Twitter.

Martin recently joined Twitter and hasn’t tweeted yet. He is following 25 accounts, has no followers of his own and something about his profile picture is odd.

Since I have created many pictures using This Person Does Not Exist, I could immediately tell that the image above was created on that site. The alignment of the eyes, the weird ears and several other glitches were a sure sign of this. My buddy Nixintel wrote a great blog on how to identify such images a while back and I highly encourage you to read it.

Next up, I had a look at the other accounts Martin chose to follow. Most of them were Russia-friendly accounts, often spreading Russian propaganda, some even known conspiracy theorists. Next to the apparent German name, Martin was following German-speaking people on Twitter. So I am pretty sure he is German-speaking as well.

And in between all these, there were some accounts that actually investigate the general topics I mentioned above (Russia & disinformation). For me, this leaves two possibilities: Martin is either interested in the Russian propaganda and conspiracy theories from an investigative standpoint, or he supports them. It is not uncommon for supporters of conspiracy theories or foreign propaganda to follow those who try to debunk this disinformation (e.g. Bellingcat), so they can troll them. But why did he choose to follow me then, and not only me but also OSINTgeek?

OSINTgeek and I have many things in common, but none of these is any affiliation with the aforementioned topics. However, we are currently best known for organizing the German Open Source Intelligence Conference (or GOSINTCon). I could not see any interaction between Martin and the GOSINTCon Twitter account, so I decided to check our LinkedIn profile. Among the followers we received this afternoon, I found the following account:

Both follows must have happened roughly around the same time. Now let’s have a look at this Martin Krüger.

Same name, different picture and also 25 connections. The picture seemed a little too good-looking in my opinion. I ran a quick reverse image search on the profile picture and could see it was an often-used stock photo. This was so obvious that even Google found it!

The fact that this profile only had 25 connections led to the assumption that it was recently created. Looking into the CV posted on LinkedIn, I saw several other things that caught my eye.

I googled the name in connection with the mentioned employers and came up completely empty-handed. The CV shown here also had some inconsistencies. Large gaps between apparent jobs, and to me it looked like someone just quickly and very sloppily punched something into LinkedIn here with a mix of German and English.

All in all, both profiles seem to be sock puppets in my opinion. I thought about whether I should write this up or not, as there is a very slight chance that Martin does exist. However, the name is quite common in Germany and nothing shown here can be considered as doxxing. So, this goes out to Martin:

If you are real, you might want to clean up your LinkedIn profile. Those inexplicable gaps in your CV certainly will not help your career. If you are indeed a sock puppet: gotcha! You might want to read about how to set up a proper sock puppet on the OSINT curious site or another example of how not to do so on my blog. And while sock puppets are not a topic in this year’s GOSINTCon, come back next year and we might have a talk on that.

MW-OSINT / 16.11.2020

Saving Images from Google Maps and Street View

Ever wonder how to properly save a Google photo sphere image? Have you just been taking screenshots of them so far? Well, I have another solution for you.

During my investigations I often end up browsing through Google Maps and Google Street View. Besides the official imagery, Google allows users to upload their own 360° panoramic pictures, so-called photo spheres. These are georeferenced (most of the time) and can be found in the same way you access Street View. A while back I learned you didn’t have to pull the yellow dude onto the map and that you could just click on him. For more information on what you can do with Google Maps and where I actually learned the trick with the little yellow dude, just check out OSINT Techniques’ great 10 Minute Tip on YouTube.

Now, let’s assume we are looking into an area that doesn’t have proper Street View coverage. In this case I want to see if there are any photo spheres in a small Syrian town just south of Idlib. I’m lucky and I can find three of them marked on the map.

By clicking on the sphere itself, it will open this individual image. Let’s click on the one furthest to the west (on the left).

Now I can change my point of view by pivoting the image and I can also see which user uploaded this image and when it was uploaded. So far, if I wanted to save a copy of this image I would take a screenshot (or rather multiple screenshots). However, there is a way to gain access to the complete image and, as a matter of fact, to any image that is uploaded to Google Maps, including a larger version of the profile picture seen here.

For this, we need to open the developer tools in our browser. While it could also be done in Chrome or Chromium-based browsers, I prefer using the developer tools in Firefox. Just press Ctrl+Shift+C to access the developer console or you can access it from the Firefox menu (Web Developer/Inspector). It will then look like this:

I have the console located in the bottom half of the screen; the default value usually opens it on the right side of the screen. I’m not going to go into details on all the functionalities of this console; for more information check out Webbreacher’s 10 Minute Tip on YouTube. I want to direct your attention to the network panel. Clicking on the network panel will show you all the queries performed when you access the page you are viewing. As you can see, Google loads several JPG files for the image displayed above.

Rather than viewing all the traffic, we could also drill down to just images. But again, watch Webbreacher’s video for more details on what can be done with web developer tools. I said Google was loading several JPGs; actually Google is just loading one JPG but defines what we see by subdividing the JPG into different sections. Each section is defined by basic coordinates, depending on where in the overall image this pic is located. By hovering the mouse over the entries, you can see which section it relates to.

Here we can see a 512×512 pixel excerpt of a larger image. The coordinates show where the section is located horizontally in the image (x-axis), vertically (y-axis) and how far we have zoomed in (z-axis/value). As you can see, hovering over the entry will also display the link to the image. By clicking on this network event, we can see further details in a new panel on the right and from here copy the image URL (I compressed the traffic view in the following screenshot).

The URL can then be opened in a new tab. But before I show you the results, let me alter the URL a bit. Instead of opening the image with the coordinate-extension (e.g. “=x1-y0-z”), I’ll open the image with an extension that alters the size. In this case I will use “=s8000”, with the number 8000 being the number of horizontal pixels (Google will auto-adjust the vertical pixel-number accordingly). Fairly high quality photo spheres may even allow larger resolutions.

Now just right-click and download the image just as you would download any other picture. Here’s what I’ve downloaded, an 8000×4000 pixel complete photo sphere. This size will easily enable me to zoom in and have a look at further details.

Seeing that we can download images from Google Maps this way, let’s try out what else could be downloaded in higher resolutions. Remember the icon of the Google user that uploaded this picture? It is possible to download this icon in a larger resolution as well, and in fact any other picture that this person uploaded. For that, let’s just look at the user’s “Local Guide” profile by clicking on his username.

On the “Local Guide” profile you can find reviews and further images. To access them and the profile pic, just click on an image and open it. Again we will access the developer tools and have a look at the network traffic. Hovering over the entries will give us a preview and we can quickly identify the profile pic.

Copy the URL and manipulate the extension that defines the size or erase this extension completely. Then it usually displays the image at a standard 512×512 resolution or the original resolution (if smaller than 512×512). This is especially useful for profile pictures of people, as the enhanced image might allow you to do a proper reverse image search.
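The suffix handling described above, both swapping the coordinate extension for a size extension and erasing the extension completely, as a small helper (an added example, not code from the original post). The host name and image ID in the sample URL are constructed placeholders, and the helper assumes the extension is whatever follows the last "=" in the final path segment.

```javascript
// Added example; the sample URL is constructed (placeholder host and image ID).
const SAMPLE_TILE_URL = "https://images.example.invalid/p/CONSTRUCTED_IMAGE_ID=x1-y0-z1";

const TILE_RE = /^x(\d+)-y(\d+)-z(\d+)$/; // tile position (x, y) and zoom level (z)
const SIZE_RE = /^s(\d+)$/;               // "s" + horizontal pixel count

// Assumption: the option suffix is everything after the last "=" in the
// final path segment; a query string or fragment is ignored.
function splitSuffix(url) {
  const path = url.split(/[?#]/)[0];
  const slash = path.lastIndexOf("/");
  const eq = path.lastIndexOf("=");
  if (eq <= slash) return { base: path, suffix: null };
  return { base: path.slice(0, eq), suffix: path.slice(eq + 1) };
}

// Classify the suffix so you know what the copied request actually fetched.
function describeSuffix(url) {
  const { suffix } = splitSuffix(url);
  if (suffix === null) return { kind: "none" };
  let m = TILE_RE.exec(suffix);
  if (m) return { kind: "tile", x: Number(m[1]), y: Number(m[2]), z: Number(m[3]) };
  m = SIZE_RE.exec(suffix);
  if (m) return { kind: "size", width: Number(m[1]) };
  return { kind: "other", raw: suffix };
}

// Replace whatever suffix is present with "=s<width>".
function withSize(url, width) {
  if (!Number.isInteger(width) || width <= 0) {
    throw new RangeError("width must be a positive integer");
  }
  return `${splitSuffix(url).base}=s${width}`;
}

// Drop the suffix entirely.
function withoutSuffix(url) {
  return splitSuffix(url).base;
}

console.log(describeSuffix(SAMPLE_TILE_URL));
console.log(withSize(SAMPLE_TILE_URL, 8000));
console.log(withoutSuffix(SAMPLE_TILE_URL));
```

Suffixes that are neither a tile nor a size extension are reported as `other` rather than guessed at, so an unexpected URL shape is visible before you rewrite it.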

The shown techniques will enable you to download any picture from Google Maps, whether it is a photo sphere or an image posted by a “Local Guide”.

MW-OSINT / 01.07.2020